Twitter finally rolls out encrypted direct messages

More than five months after Elon Musk confirmed plans for the feature in November 2022, Twitter officially began rolling out encrypted direct messages (DMs) on the platform.

The "first phase" of this feature will appear as a separate conversation next to a user's inbox. Encrypted chats will have a locked icon to visually distinguish them.

The opt-in feature is currently limited to verified users or verified organizations and affiliates. In addition, both the sender and receiver must be using the latest version of the Twitter app for Android, iOS and clients.

Another criteria for sending and receiving encrypted messages is that the recipient must follow the sender, have sent a message to the sender in the past, or have accepted a direct message request from the sender at some point.

While Twitter did not disclose the exact method it uses to encrypt conversations, the company said it uses a combination of strong encryption schemes to encrypt users' messages, links.

Twitter further emphasized that encrypted chats remain encrypted while stored on its infrastructure and are only decrypted on the recipient's end. The implementation is expected to be open sourced later this year.

That said, the project, which is currently under further development, does not support encrypted group conversations right now, nor does it allow for the exchange of media and other file attachments. Some other notable restrictions are as follows:

· Users can only register up to 10 devices to send and receive encrypted messages.

· New devices (reinstalling the Twitter app) cannot participate in existing encrypted conversations

· Logging out from Twitter will call all messages, including encrypted DMs, to be removed from the current device

Twitter also said that the current architecture does not "offer protections against man-in-the-middle attacks" and does not guarantee forward secrecy, a key security measure that ensures that the compromise of a single session key does not affect data shared in other sessions.

"If the private key of a registered device was compromised, an attacker would be able to decrypt all of the encrypted messages that were sent and received by that device," Twitter said, adding that it does not intend to fix the limitations, but rather to consider a better user experience.